You might have heard about the big Facebook data leak last week: over 500 million Facebook users were affected. The published data included personal information like phone numbers and email addresses. Facebook claims this was data scraped from public sources, but in the end the source doesn't really matter to affected users, only that the data could now be abused. And this doesn't only happen to Facebook; personal data breaches regularly happen everywhere on the internet. This is why I wanted to make a brief video on basic tips for finding out which, if any, of your personal information has been leaked and steps to avoid as much damage as possible.
Aside from obviously keeping an eye on news about big data leaks, the website haveibeenpwned.com is one of the best sources for checking for leaked data. Instead of publishing the raw data, which would obviously be counter-productive in protecting against leaks, it asks you to enter the email address or phone number you want to check. Entering this on a seemingly random website might seem strange at first, but haveibeenpwned has been around for a long time and is very reputable. Its database is actually used by several password managers like 1Password and Bitwarden, and by tools like Firefox Monitor, for their built-in data breach reports. The search data is also never explicitly stored anywhere but only used for retrieving data from their storage. They provide more info about that in the privacy section.
After entering an email address or phone number, you will receive a list of data breaches it was involved in. I've entered an address that I know has been leaked in multiple breaches, so there are quite a lot of results. To get regular updates, you can also get notified about future data breaches or even search for domain names. This is especially helpful if you're using your own domain name with multiple addresses.
The website also provides a search tool for leaked passwords. While the privacy page explains that the provided password will be hashed and only part of the hash is sent to haveibeenpwned to match for leaks, I would not recommend it as a general rule. I do trust the website, and they would not receive the original password, but I think it sets the wrong example. Any password that's entered anywhere besides the intended website should be considered compromised.
This also leads me to the frequently repeated tip: do not reuse passwords. It's only a matter of time until a password gets leaked, and you don't want it to be the password to everything. I've made videos about password managers and how to manually choose good passwords in the past. Having unique passwords for every service is one of the best defenses against data leaks.
This can also be applied to email addresses. There are disposable email addresses, some email providers allow adding characters to existing addresses, or you could buy your own domain name for generating infinite custom addresses.
I hope this video provided some helpful tips for improving your online security. I'll see you in the next one.
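The partial-hash password lookup mentioned above, sketched as an added example (not code from the video or from haveibeenpwned): the password is hashed locally and only a short prefix of the hash is sent. It assumes the public Pwned Passwords range API format (SHA-1, 5-character hex prefix, `SUFFIX:COUNT` response lines); `constructed_fetch` and its counts are constructed so the demo runs offline.

```python
import hashlib
import urllib.request

# Assumption: the public Pwned Passwords range endpoint.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_response(suffix: str, body: str) -> int:
    """Look for our suffix among the 'SUFFIX:COUNT' lines returned for a prefix."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix absent: this password is not in the returned range

def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character prefix leaves the machine."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 if none)."""
    prefix, suffix = split_hash(password)
    return count_in_response(suffix, fetch(prefix))

SENT = []  # records what the offline stand-in was asked for

def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range; suffixes and counts are constructed."""
    SENT.append(prefix)
    _, leaked_suffix = split_hash("password")
    return "\r\n".join([
        "0" * 35 + ":3",          # constructed decoy sharing the prefix
        leaked_suffix + ":42",    # constructed count for the sample password
        "F" * 35 + ":1",          # constructed decoy
    ])

if __name__ == "__main__":
    print(pwned_count("password", fetch=constructed_fetch))
    print(pwned_count("a-unique-generated-passphrase", fetch=constructed_fetch))
    print(SENT)  # only 5-character prefixes were ever "sent"
```

The matching happens on the client: the service returns every suffix sharing the prefix, so it never learns which one, if any, was yours.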